It seems like the errors are all from R3 authority which from what I am seeing is related to LetsEncrypt. The odd thing is that it says the certificate is expired, but the error message shows that the certificates are within the correct time. This just all of a sudden started happening. Websites like amazon and google have no issues. Anyone else having this issue?
Final Update:
Fortinet KB Article: https://kb.fortinet.com/kb/documentLink.do?externalID=FD53305
Fortinet response: https://www.fortinet.com/blog/psirt-blogs/fortinet-and-expiring-lets-encrypt-certificates
Update your certificate bundle following /u/niffur00 instructions
A root certificate that is used by LetsEncrypt has expired https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
There are workarounds, but please be aware that your security posture may be reduced. It seems as if the old KB for the AddTrust External CA updated KB article has the same workarounds that others are suggesting in this post. https://kb.fortinet.com/kb/documentLink.do?externalID=FD49028. I donβt know what Fortinet is doing, but they updated this KB with info regarding DST Root CA X3, yet now they have removed all references to it. I believe the information is still relevant.
If you do choose to allow invalid certificates, may I suggest that instead of choosing to allow All, that you instead use the βCustomβ option and choose βTrust and Allowβ for expired certificates (if that is an option on your version).
Expect Fortinet to release a new certificate bundle, as /u/niffur00 suggests and the KB article describes, please be on the lookout for this new bundle and update when ready. My current certificate bundle reads version 1.00027. Apparently Fortinet has released a new certificate bundle version 1.00028. I am unable to confirm if this works, so please post your results.
Hello! I searched the sub for this topic but didn't find anything (if you do please link me, thank you :). )
Basically our uni blocks VPNs via DPI and I wanted to know if there is any way / vpn provider that bypasses this with some fancy protocol.
Thanks for your help! :)
So We just got a brand new Fortigate 200f firewall for our organization . We have about 100 active users and about 500-600 devices (smart phones , tablets, pcβs, macs, iot devices ) So we want to implement ssl certificate with deep packet inspection.
What is the simplest way of getting these certificates installed on each device ?
Hi,
I just had a thought today, and it may be obvious/common knowledge, but I see DPI being touted as a security feature and it always rubbed me the wrong way. I think I finally found a framework to express how it rubs me the wrong way.
So for context, I mostly work in cloud, but I know datacenter too and this still applies to datacenter networking. Current best practices are to implement what's called "zero trust", which is basically just an extension/rewording of older best practices of "don't make a big central firewall". So for zero trust to exist, there cannot be a central point of trust. To build on this, it is best practice, at least in cloud, to encrypt all data in transit (in AWS, all endpoints they give you from ALBs to SQS queues are all HTTPS) even if the traffic is "internal". So, to implement DPI in this setup, you route all traffic across a centralized point that inspects the traffic and applies rules, but its encrypted so you can only get the header information.
This leaves 2 possibilities:
- You only inspect the headers
- You decrypt SSL on device with injected certificates
If you only inspect the headers, then what's the point of a central firewall? Especially in cloud where everything gets a firewall through security groups or equilavent, though any ol' device can do basic header filtering with minimal overhead.
If you decrypt SSL, then that creates a central point of trust since it has certificates accepted by all devices and its also a central point for data collection.
Is there something wrong with this logic? It seems that common practice is to implement it but I don't see the actual benefit of implementing it.
Hi,
Recently I have been trying to setup a way to bypass DPI using a rasperry pi 4.
All of the tutorials that I have tried to follow have stopped working at some point.
Could somone send me one that has worked for them, or maybe reccomend a different option?
Any ideas what I might have missed here?
Thanks in advance!
Spider
Do you guys keep this enabled or disabled? I was looking to get the highest possible bandwidth out of my network
Does Microsoft have something against deep packet inspection? I have the certs set up right, our FortiGate is the issuer for all website certs I look at, and they show as valid with no certificate errors. This is on my workstation - I have a separate policy for traffic from my workstation's IP and that's all that is being deep inspected (testing purposes). I can browse the Microsoft store but cannot download apps due to error code 0x80072F8F, but it works if I disable deep inspection. Nothing is being blocked by the web or app filter. I googled the error code and it seems to be SSL related, and it appears some people get this for Windows Update and Activation too (I haven't, but that could be because we have WSUS and I haven't reinstalled Windows since turning DPI on). What needs to be done to get communication with Microsoft to honor the same trusted CA's that everything else honors? I know I can create an exception and just not inspect traffic to M$ but I'd rather get it working correctly.
So far governments have generally speaking said: alright we will allow your Bitcoin.
This is because right now Bitcoin just moves fiat around from the pockets of losers to the pockets of winners. The government don't give a shit about that. Fiat goes in, fiat comes out. Not a problem.
But if this ever changes, and it migth (we are working hard on changing this)
Goverments around the world can get together in their G9 bildeberg meetings or whatever they call em and the 0.001% can all agree to make crypto illegal.
This means:
-
ISP's will be forced by law to do deep packet inspection and shut your internet down if you are running a node.
-
Every exchange that is a bank will lose their banking license
-
Every centralised exchange will be shut down and their fiat assets frozen by a request to their bank that the bank by law has to follow.
Now 1 BCH will still be 1 BCH even if every cex goes offline.
But users risking t heir ISP's shutting down their internet when Bitcoin related traffic is detected.
That is HUGE issue.
Let's say that 2 years from now this will happen in The USA and the UK first and 1 year later in most european countries,.
Let's say within 5 years this will happen in most european countries.
How do we counter this TODAY? Or do we just hope it won't happen.
Or will Spacex soon be the only internet that will allow Bitcoin traffic so that Elon Musk can control like absolutely everything?
Hi, guys, my old vpn was blocked by my isp so I have to change one. I choose outline because it is easy to deploy.But I've heard that shadowsocks traffic can be analysised by deep packet inspection,also the article
https://medium.com/jigsaw/introducing-outline-making-it-safer-to-break-the-news-feda4d047b4
states that Outline supports modern AEAD 256-bit cipher encryption and is resistant to probing and stronger against protocol fingerprinting, which makes it significantly harder to block by modern deep-packet-inspection software.
Can somebody tells more detail? Does outline really resists deep packet inspection?
I'am in an very restrictive Network. Wireguard on Port 53 not Working. Openvpn with or without Shadowsocks also not working i receive following error. With a bit reverse engineering i found out, that they using a zscaler appliance with DPI on Port 443. Do someone have an advise for me. I'am using the official Mullvad App.
"2021-04-19 13:19:42 WARNING: Bad encapsulated packet length from peer (5379), which must be > 0 and <= 1626 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]"
Bit of rambling here sorry. Looking for general thoughts/feedback.
Having a lot of trouble with decision overload and researching how best to secure my homelab.
I bought an itx machine with intel 4160 and 4gb ram to run pfsense because I thought "Deep Packet Inspection" was a must have feature. (haven't yet set it up)
Since then I've been seeing a few comments that DPI is worthless these days because you can't inspect https (which mostly everything is now).
You can unencrypt https to inspect but that's a security concern in itself, because you shouldn't be "man in the middle-ing" yourself.
What are homelab's thoughts?
If DPI is pointless then I will start my research again because tbh everything was focused around having DPI support.
My ideal goal is I want a good firewall than can zone different devices. IOT devices in one zone, wifi (that visitors connect to) in another zone, and my servers/pc in another zone.
What options would you consider more beginner friendly? I haven't done much security/networking so a nice GUI that's easy to understand will be a huge bonus. I really want this to be as ironclad secure as possible.
Secondary wishlist is... Is there a nice firewall/routing solution that would run on a Raspberry Pi? (With a usb 3 gigabit adapter for second Ethernet port)
In the long term I want to convert all my homelab stuff to Rasperry Pi 4B's. None of my servers are doing anything intensive so I'd love to go all Pi's :-) But less important for now
Thanks guys
Saw u/geerlingguyβs video on the dual NIC CM4 host boards and really want to play with it. But what do I need two NICs for? I already have a very capable router.
I could use it as a firewall, but the router (Mikrotik RB4100) already has this built in.
So I was wondering what else I could use it for, positioned in between the router and fiber media box, deep packet inspection. Or would there be zero point to that as itβs just way too slow?
(On a 1000/300 connection)
So if most internet traffic now days is encrypted what's the point of deep packet inspection on the sonicwall? Also I notice one of our sonicwalls has an expired security license so the deep packet features don't work, but yet, the sonicwall itself is still performing the deep packet inspection and slowing down traffic.
What's the point of having the sonicwall inspect traffic if number 1 you don't have a license for it. Or number 2 everything is basically encrypted anyway? I'm just curious, does deep packet inspection actually perform any benefit? I constantly have to turn it off.
On the sonicwall with the security license, deep packet inspection gives me a little bit more visibility into my layer 7 network traffic, on my bandwidth graphs. I can see facebook traffic vs aspera traffic or whatever. Is that the only benefit?
Recently joined the Unifi ecosystem after several years with Cisco Meraki, and one thing I haven't yet found is how to see more detailed information about which hosts that a given client is accessing.
This is the sort of information I used to be able to see with the Meraki setup:
https://i.imgur.com/O4k2ZVE.png
Compare with the Unifi:
https://i.imgur.com/AyAvxnN.png
I'd like to start tuning firewall rules for my IoT devices since some of them do rely on internet connectivity, but it's difficult to build and troubleshoot these if I cannot see the hosts they're talking to.
Hi all,
Just wondering if anyone has attempted to do DPI on Zoom traffic? I'm looking to log Zoom chat traffic between students (we're an education institution). Currently Zoom is in the SSL exclusion list and I looking at taking it out of the list however whenever I do, Zoom complains that there is an issue with the certificate. I am wondering if there is some way of allowing the app to trust the Firewall certificate, (i.e. similar to Google Drive File Stream roots.pem allows you to merge the file together or a registry/policy option) so we can start logging data in FortiAnalyzer.
Any ideas would be greatly appreciated.
I see videos of people using DPI on their Unifi networks and its incredible. I've spent the money and they are some great products but the DPI isnt anything like it is in videos from just 3 years ago. What happened?
Is there any alternative that achieves what this used to be able to do?
In last 3 months, I'm verifying the patent claim by replicating it with code and data.
First, I spent two months to write a TCP packet sorter. Then I collected home traffic for a month where I mixed v2ray traffic with other normal network traffic.
Last night, I stopped capturing packet data and started to build a classifier. I spent two hours to write a 1D Convolution Neutral Network to do binary classification on v2ray traffic and non-v2ray traffic.
To my surprise, I can achieve classification accuracy rate up to 98.86%. In a nutshell, the patent claim is real.
I shared my classification model in Python notebook and findings in my blog post.
Hey Guys,
We have a sonicwall and itβs anti-gateway (IPS) virus app viz license has expired years ago. Iβm still able to update firmware by downloading from our sonicwall account. So the firewall is up to date.
So Iβve noticed that by default the deep packet inspection (DPI) is turned on, for the allow all rule on the LAN to outbound traffic.
Some of our users are complaining of poor upload speed. I have to disable DPI on the endpoint IP in order for full speed to occur.
In order to disable DPI, I had to manually add an access rule to match the endpoint IP in the LAN to WAN rules and then disable DPI. After the disable, bandwidth speeds improved and CPU consumption is also reduced.
Now, to my question. If I donβt have the Intrusion Prevention System license activated, is the DPI actually doing anything other than slowing down my network and consuming CPU cycles?
-MUD
Does anyone know from where exactly DPI is pulling its stats?
Set up the UDM around 90 mins ago and DPI for my laptop is showing over 5 TB.
It looks like it pulled historic data because I can guarantee if I did 5 TB domestic in 90 mins the CEO of my ISP would personally knock on my door and disconnect me.
